Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates#2982

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-c3b279e660
Closed

chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates#2982
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-c3b279e660

chore(deps): bump the npm_and_yarn group across 1 directory with 13 u…

407ecfa
Select commit
Loading
Failed to load commit list.
GitHub Advanced Security / Trivy failed Jul 10, 2026 in 5s

53 new alerts including 29 high severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 29 high
  • 21 medium
  • 3 low

Alerts not introduced by this pull request might have been detected because the code changes were too large.

See annotations below for details.

View all branch alerts.

Annotations

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Prototype pollution allows information disclosure and request manipulation High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-42264
Severity: HIGH
Fixed Version: 1.15.2
Link: CVE-2026-42264

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44494
Severity: HIGH
Fixed Version: 1.16.0
Link: CVE-2026-44494

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Information disclosure due to prototype pollution vulnerability High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44495
Severity: HIGH
Fixed Version: 1.15.2, 0.31.1
Link: CVE-2026-44495

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Information disclosure of proxy credentials via HTTP redirects High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44486
Severity: HIGH
Fixed Version: 1.16.0, 0.32.0
Link: CVE-2026-44486

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Information disclosure of proxy credentials via redirect flows High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44487
Severity: HIGH
Fixed Version: 1.16.0, 0.32.0
Link: CVE-2026-44487

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Denial of Service due to unenforced request and response size limits High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44488
Severity: HIGH
Fixed Version: 1.16.0
Link: CVE-2026-44488

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44496
Severity: HIGH
Fixed Version: 1.16.0, 0.32.0
Link: CVE-2026-44496

Check failure on line 20974 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability High

Package: http-cache-semantics
Installed Version: 3.8.1
Vulnerability CVE-2022-25881
Severity: HIGH
Fixed Version: 4.1.1
Link: CVE-2022-25881

Check failure on line 23063 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

lodash: lodash: Arbitrary code execution via untrusted input in template imports High

Package: lodash
Installed Version: 4.17.23
Vulnerability CVE-2026-4800
Severity: HIGH
Fixed Version: 4.18.0
Link: CVE-2026-4800

Check failure on line 23069 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

lodash: lodash: Arbitrary code execution via untrusted input in template imports High

Package: lodash-es
Installed Version: 4.17.23
Vulnerability CVE-2026-4800
Severity: HIGH
Fixed Version: 4.18.0
Link: CVE-2026-4800

Check failure on line 23487 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode High

Package: ssri
Installed Version: 5.3.0
Vulnerability CVE-2021-27290
Severity: HIGH
Fixed Version: 6.0.2, 7.1.1, 8.0.1
Link: CVE-2021-27290

Check failure on line 24204 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality High

Package: uuid
Installed Version: 11.1.0
Vulnerability CVE-2026-41907
Severity: MEDIUM
Fixed Version: 11.1.1, 12.0.1, 13.0.1
Link: CVE-2026-41907

Check failure on line 26585 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

minimatch: minimatch: Denial of Service via specially crafted glob patterns High

Package: minimatch
Installed Version: 9.0.5
Vulnerability CVE-2026-26996
Severity: HIGH
Fixed Version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
Link: CVE-2026-26996

Check failure on line 26585 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns High

Package: minimatch
Installed Version: 9.0.5
Vulnerability CVE-2026-27903
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
Link: CVE-2026-27903

Check failure on line 26585 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions High

Package: minimatch
Installed Version: 9.0.5
Vulnerability CVE-2026-27904
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
Link: CVE-2026-27904

Check failure on line 31889 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

node-fetch: exposure of sensitive information to an unauthorized actor High

Package: node-fetch
Installed Version: 1.7.3
Vulnerability CVE-2022-0235
Severity: HIGH
Fixed Version: 3.1.1, 2.6.7
Link: CVE-2022-0235

Check failure on line 32968 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() High

Package: serialize-javascript
Installed Version: 6.0.2
Vulnerability GHSA-5c6j-r48x-rmvq
Severity: HIGH
Fixed Version: 7.0.3
Link: GHSA-5c6j-r48x-rmvq

Check failure on line 35004 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

tmp is a temporary file and directory creator for node.js. Prior to 0. ... High

Package: tmp
Installed Version: 0.0.33
Vulnerability CVE-2026-44705
Severity: HIGH
Fixed Version: 0.2.6
Link: CVE-2026-44705

Check failure on line 35934 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality High

Package: uuid
Installed Version: 8.3.2
Vulnerability CVE-2026-41907
Severity: MEDIUM
Fixed Version: 11.1.1, 12.0.1, 13.0.1
Link: CVE-2026-41907

Check failure on line 36677 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments High

Package: ws
Installed Version: 8.17.1
Vulnerability CVE-2026-48779
Severity: HIGH
Fixed Version: 5.2.5, 6.2.4, 7.5.11, 8.21.0
Link: CVE-2026-48779

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: NO_PROXY bypass via crafted URL High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-42043
Severity: HIGH
Fixed Version: 1.15.1, 0.31.1
Link: CVE-2026-42043

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Arbitrary HTTP header injection via prototype pollution High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-42035
Severity: HIGH
Fixed Version: 1.15.1, 0.31.1
Link: CVE-2026-42035

Check failure on line 13505 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: HTTP Transport Hijacking via Prototype Pollution High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-42033
Severity: HIGH
Fixed Version: 1.15.1, 0.31.1
Link: CVE-2026-42033

Check failure on line 7693 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality High

Package: uuid
Installed Version: 9.0.1
Vulnerability CVE-2026-41907
Severity: MEDIUM
Fixed Version: 11.1.1, 12.0.1, 13.0.1
Link: CVE-2026-41907

Check failure on line 6446 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions High

Package: minimatch
Installed Version: 3.1.2
Vulnerability CVE-2026-27904
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
Link: CVE-2026-27904